While clearing out my drafts , came across a screenshot and the story I almost forgot .

What is National Testing Agency(NTA) ?

The National Testing Agency (NTA) is an autonomous body under Department of Higher Education of the Ministry of Education of India. The NTA is responsible for conducting numerous national-level exams for admission and fellowship in higher educational institutions related to engineering (JEE), medicine (NEET) and others.

Timeline:

June 2024: This timeframe coincided with significant media attention surrounding the NEET 2024 examination https://en.wikipedia.org/wiki/2024_NEET_controversy

April 2024: I was scrolling across the one of the subdomains of subdomain.nta.ac.in mostly not to find bugs but for personal work and discovered that one of NTA’s subdomains was built using the Laravel PHP framework. This observation was made through Wappalyzer (https://chromewebstore.google.com/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en)

Based on “previous experience” with similar government websites, I suspected a common misconfiguration pattern: the exposure of environment configuration files. Laravel applications typically store sensitive configuration data, including database credentials, in .env files.

So why not try to fuzz ? :)

Vulnerability Confirmation

A simple directory traversal attempt revealed that the .env file was publicly accessible:

[subdomain].nta.ac.in/.env

This file contained sensitive database connection parameters, including:

• Database server addresses
• Authentication credentials
• Connection strings
• Other sensitive configuration data

Database Access Verification

Using standard database management tools (DBBeaver, DBvisualizer), I was able to establish a connection to NTA’s database infrastructure using the exposed credentials. This confirmed full read/write access to the database systems.

Responsible Disclosure Process

Given the critical nature of this vulnerability and its potential impact on I immediately initiated the responsible disclosure process to CERT-In(Computer Emergency Response Team) and it was acknowledged by them .

That’s all from my end . Hope you Enjoyed Reading !!